Bump the github-owned-actions group across 1 directory with 6 updates

[dependabot]

Bumps the github-owned-actions group with 6 updates in the / directory:

Package	From	To
github/codeql-action	3.29.10	3.30.3
actions/stale	9.1.0	10.0.0
github/cleanowners	1.2.5	1.2.6
github/contributors	1.5.11	1.7.1
actions/dependency-review-action	4.7.2	4.7.3
github/evergreen	1.24.1	1.24.2

Updates github/codeql-action from 3.29.10 to 3.30.3

Release notes

Sourced from github/codeql-action's releases.

v3.30.3

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.3 - 10 Sep 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.2

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.2 - 09 Sep 2025

• Fixed a bug which could cause language autodetection to fail. #3084
• Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #3064

See the full CHANGELOG.md for more information.

v3.30.1

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.1 - 05 Sep 2025

• Update default CodeQL bundle version to 2.23.0. #3077

See the full CHANGELOG.md for more information.

v3.30.0

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.0 - 01 Sep 2025

• Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. #3054

See the full CHANGELOG.md for more information.

v3.29.11

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the codeql-action/init step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the codeql-action/init step. #3099 and #3100
• We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. #3107
• You can now run the latest CodeQL nightly bundle by passing tools: nightly to the init action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. #3130

3.30.3 - 10 Sep 2025

No user facing changes.

3.30.2 - 09 Sep 2025

• Fixed a bug which could cause language autodetection to fail. #3084
• Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #3064

3.30.1 - 05 Sep 2025

• Update default CodeQL bundle version to 2.23.0. #3077

3.30.0 - 01 Sep 2025

• Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. #3054

3.29.11 - 21 Aug 2025

• Update default CodeQL bundle version to 2.22.4. #3044

3.29.10 - 18 Aug 2025

No user facing changes.

3.29.9 - 12 Aug 2025

No user facing changes.

3.29.8 - 08 Aug 2025

• Fix an issue where the Action would autodetect unsupported languages such as HTML. #3015

3.29.7 - 07 Aug 2025

This release rolls back 3.29.6 to address issues with language autodetection. It is identical to 3.29.5.

3.29.6 - 07 Aug 2025

• The cleanup-level input to the analyze Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. #2999

... (truncated)

Commits

• 192325c Merge pull request #3104 from github/update-v3.30.3-b660efdcf
• e68956d Update changelog for v3.30.3
• b660efd Merge pull request #3103 from github/mbg/fix/category-check
• e49458b Fix runInterpretResultsFor using the wrong AnalysisConfig for category fix
• f374a62 Merge pull request #3098 from github/kaspersv/increase-overlay-base-size-limit
• 5efa438 Merge pull request #3101 from github/mbg/public-repo-notice-in-pr-template
• 8a84a62 Overlay: Increase size limit for cached overlay base database
• eb50a88 Merge pull request #3097 from github/redsun82/only-dump-sarif
• 4c53461 Tweak sarif dump log
• dae3742 Dump soon to be uploaded SARIF on request
• Additional commits viewable in compare view

Updates actions/stale from 9.1.0 to 10.0.0

Release notes

Sourced from actions/stale's releases.

v10.0.0

What's Changed

Breaking Changes

• Upgrade to node 24 by @​salmanmkc in actions/stale#1279 Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. Release Notes

Enhancement

• Introducing sort-by option by @​suyashgaonkar in actions/stale#1254

Dependency Upgrades

• Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by @​dependabot[bot] in actions/stale#1186
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot[bot] in actions/stale#1201
• Upgrade @​action/cache from 4.0.0 to 4.0.2 by @​aparnajyothi-y in actions/stale#1226
• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​suyashgaonkar in actions/stale#1233
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in actions/stale#1251
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in actions/stale#1277

Documentation changes

• Changelog update for recent releases by @​suyashgaonkar in actions/stale#1224
• Permissions update in Readme by @​ghadimir in actions/stale#1248

New Contributors

• @​suyashgaonkar made their first contribution in actions/stale#1224
• @​GhadimiR made their first contribution in actions/stale#1248
• @​gowridurgad made their first contribution in actions/stale#1277
• @​salmanmkc made their first contribution in actions/stale#1279

Full Changelog: actions/stale@v9...v10.0.0

Commits

• 3a9db7e Upgrade to node 24 (#1279)
• 8f717f0 Bumps form-data (#1277)
• a92fd57 build(deps): bump undici from 5.28.5 to 5.29.0 (#1251)
• 128b2c8 Introducing sort-by option (#1254)
• f78de97 Update README.md (#1248)
• 816d9db Upgrade @​action/cache from 4.0.2 to 4.0.3 (#1233)
• ba23c1c upgrade actions/cache from 4.0.0 to 4.0.2 (#1226)
• a65e88a build(deps): bump undici from 5.28.4 to 5.28.5 (#1201)
• d4df79c Updates to CHANGELOG.MD for recent releases (#1224)
• ee7ef89 build(deps): bump actions/publish-immutable-action from 0.0.3 to 0.0.4 (#1186)
• See full diff in compare view

Updates github/cleanowners from 1.2.5 to 1.2.6

Release notes

Sourced from github/cleanowners's releases.

v1.2.6

Changelog

🧰 Maintenance

• chore(deps): bump the dependencies group with 4 updates @dependabot[bot] (#268)
• chore(deps): bump the dependencies group with 2 updates @dependabot[bot] (#270)
• chore(deps): bump python from 8220cce to 27f90d7 @dependabot[bot] (#267)
• chore(deps): bump python from 3.13-slim to 3.13.7-slim in the dependencies group @dependabot[bot] (#266)
• chore(deps): bump the dependencies group with 2 updates @dependabot[bot] (#265)
• chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 @dependabot[bot] (#264)

See details of all code changes since previous release

Commits

• 687c799 chore(deps): bump the dependencies group with 4 updates (#268)
• 2fb8f13 chore(deps): bump the dependencies group with 2 updates (#270)
• 95afdf4 Merge pull request #267 from github/dependabot/docker/python-27f90d7
• e2cfedb chore(deps): bump python from 8220cce to 27f90d7
• c142cbc chore(deps): bump python from 3.13-slim to 3.13.7-slim in the dependencies gr...
• 3220b83 chore(deps): bump the dependencies group with 2 updates (#265)
• 215f440 chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#264)
• See full diff in compare view

Updates github/contributors from 1.5.11 to 1.7.1

Release notes

Sourced from github/contributors's releases.

v1.7.1

Changelog

🧰 Maintenance

• chore(deps): bump the dependencies group with 4 updates @dependabot[bot] (#320)
• chore(deps): bump the dependencies group with 2 updates @dependabot[bot] (#322)
• chore(deps): bump python from 8220cce to 27f90d7 @dependabot[bot] (#318)
• chore(deps): bump requests from 2.32.4 to 2.32.5 in the dependencies group @dependabot[bot] (#319)

See details of all code changes since previous release

v1.7.0

Changelog

🚀 Features

• feat: Add GitHub Actions Job Summary support for contributor reports @copilot-swe-agent[bot] (#314)

See details of all code changes since previous release

v1.6.0

Changelog

🚀 Features

• feat: copilot files (instructions and setup steps) @​jmeridth (#315)

🧰 Maintenance

• chore(deps): bump the dependencies group with 2 updates @dependabot[bot] (#312)
• chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 @dependabot[bot] (#313)
• chore(deps): bump python from 3.13-slim to 3.13.7-slim in the dependencies group @dependabot[bot] (#311)

See details of all code changes since previous release

Commits

• a274afd chore(deps): bump the dependencies group with 4 updates (#320)
• 47851f0 chore(deps): bump the dependencies group with 2 updates (#322)
• 4f538cc Merge pull request #318 from github/dependabot/docker/python-27f90d7
• ae715be Merge pull request #319 from github/dependabot/pip/dependencies-23f06ca20f
• 85b0a41 chore(deps): bump requests in the dependencies group
• 855b4ac chore(deps): bump python from 8220cce to 27f90d7
• ae62be2 Merge pull request #314 from github/copilot/fix-91
• 0d18d30 Merge branch 'main' into copilot/fix-91
• 62504d0 docs: update comments to reflect new functionality
• 7c59b4f test: increase test coverage of markdown writing to improve confidence
• Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.7.2 to 4.7.3

Release notes

Sourced from actions/dependency-review-action's releases.

4.7.3

What's Changed

• Add explicit permissions to workflow files by @​AshelyTC in actions/dependency-review-action#966
• Claire153/fix spamming mentioned issue by @​claire153 in actions/dependency-review-action#974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

Commits

• 595b5ae Update package version (#975)
• fc5fd66 Claire153/fix spamming mentioned issue (#974)
• d38d1a4 Merge pull request #965 from actions/dependabot/npm_and_yarn/multi-c22e25d29b
• 8d420b8 Merge branch 'main' into dependabot/npm_and_yarn/multi-c22e25d29b
• bde0129 Merge pull request #966 from actions/ashelytc/add-permissions
• ab52490 remove ruby
• ef00a0a add permissions to workflows
• 74c8179 Bump brace-expansion
• See full diff in compare view

Updates github/evergreen from 1.24.1 to 1.24.2

Release notes

Sourced from github/evergreen's releases.

v1.24.2

Changelog

🧰 Maintenance

• chore(deps): bump the dependencies group with 4 updates @dependabot[bot] (#408)
• chore(deps): bump the dependencies group with 2 updates @dependabot[bot] (#410)
• chore(deps): bump python from 3.13.6-slim to 3.13.7-slim in the dependencies group @dependabot[bot] (#407)
• chore(deps): bump ruamel-yaml from 0.18.14 to 0.18.15 in the dependencies group @dependabot[bot] (#405)
• chore(deps): bump types-pyyaml from 6.0.12.20250809 to 6.0.12.20250822 @dependabot[bot] (#406)
• chore(deps): bump github/codeql-action from 3.29.8 to 3.29.10 in the dependencies group @dependabot[bot] (#403)
• chore(deps): bump requests from 2.32.4 to 2.32.5 in the dependencies group @dependabot[bot] (#404)

See details of all code changes since previous release

Commits

• 4e2fef1 chore(deps): bump the dependencies group with 4 updates (#408)
• 2579e3f chore(deps): bump the dependencies group with 2 updates (#410)
• 59e2d2e Merge pull request #407 from github/dependabot/docker/dependencies-ce352a03d6
• 9052ae0 Upgrade git version in Dockerfile
• 81981e5 Merge branch 'main' into dependabot/docker/dependencies-ce352a03d6
• 58d0407 chore(deps): bump python in the dependencies group
• 89d899c Merge pull request #405 from github/dependabot/pip/dependencies-ad2fef8781
• 21ad423 Merge pull request #406 from github/dependabot/pip/types-pyyaml-6.0.12.20250822
• 0da26dc chore(deps): bump types-pyyaml from 6.0.12.20250809 to 6.0.12.20250822
• 48a5568 chore(deps): bump ruamel-yaml in the dependencies group
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @justaugustus.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/github/codeql-action/upload-sarif	192325c86100d080feab897ff886c34abd4c83a3	Unknown	Unknown
actions/actions/stale	3a9db7e6a41a89f618792c92c0e97cc736e1b13f	🟢 5.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 6 SAST tool is not run on all commits -- score normalized to 6 Vulnerabilities 🟢 7 3 existing vulnerabilities detected
actions/github/cleanowners	687c79962d8efe42ed9572d228c13a43d460d13d	🟢 7.3	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 0/1 approved changesets -- score normalized to 0 Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST ⚠️ -1 internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: non-200 OK status code: 502 Bad Gateway body: "\r\n<title>502 Bad Gateway</title>\r\n\r\n 502 Bad Gateway \r\n nginx\r\n\r\n\r\n" CI-Tests ⚠️ -1 internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: non-200 OK status code: 502 Bad Gateway body: "\r\n<title>502 Bad Gateway</title>\r\n\r\n 502 Bad Gateway \r\n nginx\r\n\r\n\r\n" Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Contributors 🟢 10 project has 13 contributing companies or organizations Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches
actions/github/contributors	a274afd4ff1bd4d115a0163207db2603c8733149	🟢 7.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dependency-Update-Tool 🟢 10 update tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 5 Found 1/2 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST ⚠️ -1 internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: non-200 OK status code: 502 Bad Gateway body: "\r\n<title>502 Bad Gateway</title>\r\n\r\n 502 Bad Gateway \r\n nginx\r\n\r\n\r\n" CI-Tests ⚠️ -1 internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: non-200 OK status code: 502 Bad Gateway body: "\r\n<title>502 Bad Gateway</title>\r\n\r\n 502 Bad Gateway \r\n nginx\r\n\r\n\r\n" License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Contributors 🟢 10 project has 13 contributing companies or organizations Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches
actions/actions/dependency-review-action	595b5aeba73380359d98a5e087f648dbb0edce1b	🟢 7.9	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 9 security policy file detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 9 1 existing vulnerabilities detected
actions/github/evergreen	4e2fef1a4c2344c0ba63451f31705158d112a141	🟢 7.7	Details Check Score Reason Code-Review ⚠️ 0 Found 0/1 approved changesets -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases ⚠️ -1 no releases found Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected SAST 🟢 10 SAST tool is run on all commits Contributors 🟢 10 project has 15 contributing companies or organizations Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 23 out of 23 merged PRs checked by a CI test -- score normalized to 10

Scanned Files

• .github/workflows/_scorecard.yml
• .github/workflows/_stale.yml
• .github/workflows/clean-owners.yml
• .github/workflows/contributor-report.yml
• .github/workflows/dependency-review.yml
• .github/workflows/evergreen-check.yml

[justaugustus]

@dependabot squash and merge

[dependabot]

Beginning January 27, 2026, Dependabot will no longer support the @dependabot squash and merge command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.

[dependabot]

One of your CI runs failed on this pull request, so Dependabot won't merge it.

Dependabot will still automatically merge this pull request if you amend it and your tests pass.